ACL block TCP traffic one way.

Answered Question
Jul 15th, 2010
Hi,


I have servers in VLAN 10 (IP range 10.0.0.0) and servers in VLAN 20 (IP range 20.0.0.0) on the same layer 3 switch (C6509, Sup720).


I would like to block TCP traffic initiated from VLAN 20 to VLAN 10.

But the servers in VLAN 10 need to be able to open TCP connections to VLAN 20.


I did test with ACLs that block on the TCP flags (ack/established/syn) but was unable to get it to work.

Either it works in both directions or it works in neither.


ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any


Your help is appreciated.

Thanks,

Gerrit

Alen Danielyan Thu, 07/15/2010 - 05:42

gerritfrans wrote:


ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any


Look, you forget that the ACL is applied not only to traffic initiated from one subnet, but also to the "reply" traffic. Your packets are delivered to the restricted subnet, but the reply packets also match the ACL and are blocked.

For example, when 20.0.0.1 is connecting to 10.0.0.1 (which is allowed), the reply packets from the 10.0.0.0/24 subnet to the 20.0.0.0/24 subnet are blocked, as they have to be.


IMHO, you rather need a stateful firewall to achieve your goal. Set the ACL on the 20.0.0.0 subnet interface and activate IP inspection for TCP, UDP and ICMP. In that case the holes for the reply traffic will be created automatically.

Correct Answer
Nagaraja Thanthry Thu, 07/15/2010 - 06:01
User Badges: Cisco Employee

Hello,


If you want to stop VLAN 20 from opening connections to VLAN 10, then you need to block SYN packets from VLAN 20.


ip access-list extended test-in
 remark replies from VLAN 20 hosts to connections opened by VLAN 10
 permit tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 ack
 remark connection attempts opened by VLAN 20 hosts toward VLAN 10
 deny tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 syn
 permit ip any any
!
interface vlan 20
 ip access-group test-in in


Hope this helps.


Regards,


NT

Alen Danielyan Thu, 07/15/2010 - 06:07

And what about UDP or ICMP traffic?


It is not a good option, IMHO.


Sorry, I was not attentive enough. My mistake.
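To make the two approaches in this thread concrete, here is a small Python model of how an inbound ACL on an SVI evaluates the packets of a TCP handshake. It is an added example, not code from the original posts or from Cisco. It assumes that the original poster's ACL sat inbound on interface vlan 10 (the thread does not say where it was applied) and writes the accepted answer's SYN-blocking ACL with VLAN 20 addresses as the source, since an inbound ACL on interface vlan 20 only sees packets sourced from that VLAN. The sample traffic, the `verdicts` helper and the "not seen" verdict are constructed for the illustration; the last sample packet shows the UDP caveat raised in the follow-up reply.

```python
"""Toy first-match evaluator for Cisco-style extended ACLs applied inbound on an SVI.
Models only what the thread needs: wildcard-mask matching, the tcp keywords 'syn',
'ack' and 'established', first-match evaluation with the implicit deny, and the fact
that an inbound ACL on an SVI only sees packets sourced from that VLAN.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    flags: FrozenSet[str] = frozenset()   # TCP flags that are set


@dataclass(frozen=True)
class Ace:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    tcp_flag: Optional[str] = None        # None, "syn", "ack" or "established"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in self.src or IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.tcp_flag is None:
            return True
        if self.tcp_flag == "syn":
            return "SYN" in pkt.flags     # a SYN-ACK has SYN set too
        if self.tcp_flag == "ack":
            return "ACK" in pkt.flags
        return bool(pkt.flags & {"ACK", "RST"})   # 'established': ACK or RST set


def _parse_addr(tokens: List[str]):
    """Consume 'any' or 'addr wildcard' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    # A Cisco wildcard such as 0.255.255.255 is the bitwise inverse of the netmask.
    netmask = ".".join(str(255 - int(octet)) for octet in tokens[1].split("."))
    return IPv4Network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse the entry lines of an 'ip access-list extended'; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        aces.append(Ace(tokens[0], tokens[1], src, dst, rest[0] if rest else None))
    return aces


def inbound_verdict(acl: List[Ace], svi_subnet: IPv4Network, pkt: Packet) -> str:
    """Verdict of 'ip access-group <acl> in' on the SVI that owns svi_subnet."""
    if IPv4Address(pkt.src) not in svi_subnet:
        return "not seen"                 # the packet enters the switch via another SVI
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"                         # implicit deny at the end of every IOS ACL


# Constructed sample traffic: a connection opened from VLAN 10 (full handshake),
# a connection attempt from VLAN 20 with its would-be reply, and UDP from VLAN 20.
TRAFFIC = {
    "10->20 SYN":     Packet("10.0.0.1", "20.0.0.1", "tcp", frozenset({"SYN"})),
    "20->10 SYN-ACK": Packet("20.0.0.1", "10.0.0.1", "tcp", frozenset({"SYN", "ACK"})),
    "10->20 ACK":     Packet("10.0.0.1", "20.0.0.1", "tcp", frozenset({"ACK"})),
    "20->10 SYN":     Packet("20.0.0.2", "10.0.0.2", "tcp", frozenset({"SYN"})),
    "10->20 SYN-ACK": Packet("10.0.0.2", "20.0.0.2", "tcp", frozenset({"SYN", "ACK"})),
    "20->10 UDP":     Packet("20.0.0.2", "10.0.0.2", "udp"),
}

# The original poster's ACL; assumed here to be applied inbound on int vlan 10.
ORIGINAL_ACL = """
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any
"""

# The accepted answer's SYN-blocking approach, inbound on int vlan 20, written with
# VLAN 20 as the source because that is the direction the SVI sees inbound.
SYN_BLOCK_ACL = """
permit tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 ack
deny tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 syn
permit ip any any
"""


def verdicts(acl_text: str, svi_subnet: str) -> Dict[str, str]:
    """Map each sample packet name to the verdict of acl_text applied inbound on svi_subnet."""
    acl, net = parse_acl(acl_text), IPv4Network(svi_subnet)
    return {name: inbound_verdict(acl, net, pkt) for name, pkt in TRAFFIC.items()}
```

Calling `verdicts(ORIGINAL_ACL, "10.0.0.0/8")` shows the symptom from the question: the `established` deny drops the VLAN 10 side's third handshake packet as well as its SYN-ACK reply, so TCP fails in both directions. `verdicts(SYN_BLOCK_ACL, "20.0.0.0/8")` permits the SYN-ACK that VLAN 20 returns to a VLAN 10-initiated connection and denies a bare SYN from VLAN 20, but the UDP packet still hits `permit ip any any`, which is exactly the gap the follow-up reply points out and why a stateful inspection would be the more complete answer.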
